
Windows File Transfer Protocol In Non-Common Process Path

Splunk Security Content

Summary
This detection rule identifies FTP connections originating from processes installed outside of standard directory paths on Windows systems, using Sysmon Event Code 3. Processes running from outside common directories such as 'Program Files' and 'Windows\System32' often point to potentially malicious behavior, especially when they use FTP for data exfiltration. The rule monitors for connections to destination port 21, the standard FTP port, which is widely recognized as a command and control (C2) channel for malware such as AgentTesla. By analyzing the image path of the process making each connection, the rule can highlight abnormal behavior that may warrant further investigation.
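The detection logic described above, run over a handful of constructed Sysmon Event Code 3 records, as an added illustration rather than the rule's own SPL: the allow list of common directory prefixes is an assumption built from the two paths the summary names (plus 'Program Files (x86)'), and the flattened key=value record format is a constructed stand-in for real Sysmon telemetry.

```python
import re

# Assumed allow list of "common" install locations, matched case-insensitively.
# The page names Program Files and Windows\System32; the (x86) entry is added here.
COMMON_PATH_PREFIXES = (
    "c:\\program files\\",
    "c:\\program files (x86)\\",
    "c:\\windows\\system32\\",
)

FTP_PORT = 21  # destination port the rule keys on

# Constructed sample records (not real telemetry), flattened to key=value pairs.
SAMPLE_EVENTS = [
    "EventCode=3 Image=C:\\Program Files\\FileZilla FTP Client\\filezilla.exe DestinationIp=203.0.113.10 DestinationPort=21",
    "EventCode=3 Image=C:\\Users\\Public\\Documents\\svchost.exe DestinationIp=198.51.100.7 DestinationPort=21",
    "EventCode=3 Image=C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe DestinationIp=192.0.2.44 DestinationPort=443",
    "EventCode=1 Image=C:\\Users\\Public\\Documents\\svchost.exe CommandLine=svchost.exe",
    "EventCode=3 Image=C:\\Windows\\System32\\ftp.exe DestinationIp=203.0.113.20 DestinationPort=21",
]

# key=value pairs whose values may contain spaces (stop before the next " key=").
FIELD_RE = re.compile(r"(\w+)=((?:(?!\s\w+=).)*)")


def parse_event(line: str) -> dict:
    """Split one flattened Sysmon record into a field dictionary."""
    return {key: value.strip() for key, value in FIELD_RE.findall(line)}


def is_common_path(image: str) -> bool:
    """True when the process image lives under one of the allow-listed prefixes."""
    return image.lower().startswith(COMMON_PATH_PREFIXES)


def detect_uncommon_ftp(lines) -> list:
    """Return network-connection events to port 21 from images outside common paths."""
    hits = []
    for line in lines:
        event = parse_event(line)
        if event.get("EventCode") != "3":            # only Sysmon network connections
            continue
        if event.get("DestinationPort") != str(FTP_PORT):
            continue
        image = event.get("Image", "")
        if is_common_path(image):                    # expected install locations are ignored
            continue
        hits.append({"image": image, "dest_ip": event.get("DestinationIp"), "dest_port": FTP_PORT})
    return hits


if __name__ == "__main__":
    for hit in detect_uncommon_ftp(SAMPLE_EVENTS):
        print(hit)
```

Only the svchost.exe copy running from a user-writable folder survives the filters; the FTP clients under Program Files and System32 and the port 443 connection do not.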
Categories
  • Endpoint
Data Sources
  • Pod
  • Process
  • Network Traffic
ATT&CK Techniques
  • T1071.003
  • T1071
Created: 2024-11-13